Everything You Need to Know About PCI DSS Compliance


Instead of explaining every single detail about PCI compliance, I’ve decided to give you a brief rundown of the basics; then, I’ll point you to some resources that go even more in-depth on the subject.

The most important thing to remember from all of this is that PCI DSS compliance standards are constantly changing. What’s required today might be unnecessary tomorrow, and vice-versa. Additionally, your compliance obligations will vary depending on what type of business you are.

If you’re a small eCommerce site that uses a payment gateway like Authorize.Net, your responsibilities will be far fewer than if you’re a large brick-and-mortar merchant that stores your customers’ credit card numbers. The key is to figure out which requirements pertain to your business type, then ensure that you follow those guidelines to become compliant.

With that said, let’s cover the basics…

The PCI Security Standards Council (PCI SSC)

You’ve probably heard about these guys already. They’re the ones that set the rules and tell us how to comply with them. They have the most up-to-date information about PCI compliance, so visit their site to learn more. Remember, their policies change regularly, so be sure to stay updated. Obviously, the most important page for you is going to be their “Merchants” page.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It is the set of standards, published by the PCI SSC, that merchants are required to follow in order to remain compliant.

Where to Start

Chances are that you don’t have the time to become a PCI expert, so if I were you, I’d watch this PCI rock video, read this Quick Reference Guide, and call it a day. The video will introduce you to PCI DSS as a whole, and the guide will give you enough info to make a decision on what to do next.

This PCI for Dummies ebook by Qualys is also worth a read.

What’s Your Merchant Risk Level?

As I mentioned above, PCI requirements vary based on what your risk level is as a business. Click here to find out what risk level your business is.

Following the 12-Step Program for PCI DSS Compliance

The most important part of the PCI DSS compliance program is the set of 12 requirements outlined in the Quick Reference Guide. Understand these, and you’ll be well on your way to understanding PCI compliance.

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

Self-Assessment Questionnaire (SAQ)

As you’ll learn in the Quick Reference Guide, the Self-Assessment Questionnaire (SAQ) is a quick and easy way for merchants (business owners) to find out which of the above requirements they need to comply with.

Everybody needs to take the SAQ, so you might as well take it now. Don’t forget to read the instructions first.

Using the Right Equipment for PCI Compliance

It turns out that you need to be using the right type of terminal/equipment if you plan on being compliant. Use this search engine to find out whether your equipment is certified. If not, you will probably have to upgrade.

Generally, when you sign up for a new merchant account, your provider will give you up-to-date and compliant equipment.

Small Merchants

If you’re a small merchant that doesn’t store anyone’s credit card information, consider yourself lucky! Besides a couple of minor tasks, your responsibilities will be minimal. Check out this link to learn more.

Conclusion

Not much more to say here. Read the above, follow the links, read the documents I’ve referenced, and you’ll be just fine. Don’t freak out over the complexity of it all. It doesn’t need to be too difficult.

Let me know if you have questions about PCI DSS compliance.

Amad Ebrahimi
Amad has worked in the eCommerce and online marketing world since 2002. He started as an eBay seller, then slowly graduated to building & marketing his own websites and consulting others to do the same. He founded Merchant Maverick out of frustration with all the misinformation and shady tactics that he encountered when trying to find a merchant account for his and his client's businesses. He's the man behind most of the merchant account reviews, and articles posted on MerchantMaverick.com. Have any questions related to credit card processing? Talk to him.

4 Comments

    Joe

    I have processed with Global Pat since 2009, and I now see a fee of $175.00 built into my statement!
    I never noticed it because it was part of the monthly bill.
    There was nothing to sign or any e-mail from Global to inform me of the charge!
    They have charged me, and I’ll bet lots of customers, these fees without them knowing.
    It’s been at least 16 months @ $175.00 per month!
    I have my compliance certificate now; it wasn’t easy on the phone!
    They make it hard so you don’t comply!
    This sounds like dirty pool?
    Will I be able to get my money back?
    I have had no issues with anything!
    Joe
    TY

    Chloe Bahal

    Hi Joe,

    Unfortunately there is a very slim chance of getting refunded. You might want to leave a review on the BBB website and see if they will reply to you. I hope this helps and if you have further questions please let me know.

    Charles Denyer

    Amad, great article regarding the 12 step process. Saving merchants fees on transactions also adds up, so it’s nice to see these services offered, and I’ll pass your information over to some of my larger clients. Additionally, don’t forget that one of the most important – and time consuming – aspects of PCI DSS compliance is developing all mandated policies and procedures. As a PCI-QSA for years, I’m constantly having to deal with my clients’ challenges of having little or no documentation in place. If you look at the actual standards, there are close to 50 or so policies and procedures that need to be in place, so finding a comprehensive policy packet is a must. PCI DSS is not always about the technical aspects; there’s a lot of documentation that has to be in place, so just remember that! There are numerous providers online offering cost-effective templates, so now it’s easier and more affordable than ever to put in place all mandated PCI-specific documents.

    Keith A. Andales

    “The most important thing to remember from all of this is that PCI compliance standards are constantly changing. What’s required today might be unnecessary tomorrow, and vice-versa. Additionally, your compliance obligations will vary depending on what type of business you are.”

    Nice article, this is great. Looking forward to reading more.
